Axon Data Schema Fields
The following sections describe the intended purpose for each of the fields within the Axon Data Schema.
Not all Data Schema fields are available for assignment through Policy Builder. Fields that are "mappable" can be assigned within Policy Builder; fields that are not mappable are assigned by the Axon system as part of normal message processing and cannot be changed.
Origin, Target, and Observer Fields
Account Name vs. ID vs. Email vs. UPN
Log sources are inconsistent in how their messages identify accounts: several use email addresses as account names, while others use some type of ID. Axon's approach to these attributes is to store them in separate fields based on their context.
User Principal Names (UPNs) are generally unique to Microsoft products. They are used both in Windows operating systems and in Microsoft Azure. They should not be confused with email addresses or Account Names.
The Email fields are only relevant when the messages are describing email-related traffic. This could be message tracking, message inspection, or some other controls specifically for the email message transportation, inspection, or management contexts.
The ID field is meant to be used in conjunction with the Name field and not on its own. An Account ID is some internal identifier that the producing log source uses to track account objects. A common example is the SID value in Windows environments.
The Name field is the most commonly used field. When a message describes an account object, it most frequently references the Name attribute. This can take many shapes, including that of an email address.
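The routing rules above (Name first, ID only alongside Name, email-shaped values becoming a UPN in Microsoft contexts and an Email only for email-traffic messages, and non-mappable fields refused) are shown in the following Python, an added example that is not part of the Axon documentation. The canonical IDs and Mappable? flags come from the Account Fields table; the raw event key names (`name`, `id`, `domain`), the context labels and the sample events are my own constructed assumptions.

```python
import re

# Account field suffixes and their Mappable? flag, taken from the Account Fields
# table on this page. display_name is set by Axon and is not assignable in Policy Builder.
ACCOUNT_FIELDS = {
    "account.distinguished_name": True,
    "account.domain": True,
    "account.email_address": True,
    "account.id": True,
    "account.name": True,
    "account.phone": True,
    "account.user_principal_name": True,
    "account.display_name": False,
}

ROLES = ("origin", "target", "observer")

# Matches values shaped like an email address; shape alone does not decide the field.
EMAIL_SHAPED = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def mappable(canonical_id):
    """Return the Mappable? flag for an account canonical ID such as origin.account.name."""
    role, _, rest = canonical_id.partition(".")
    if role not in ROLES or rest not in ACCOUNT_FIELDS:
        raise KeyError(f"unknown account field: {canonical_id}")
    return ACCOUNT_FIELDS[rest]


def assign(fields, canonical_id, value):
    """Assign a value the way a Policy Builder mapping would, refusing non-mappable fields."""
    if not mappable(canonical_id):
        raise ValueError(f"{canonical_id} is set by Axon and cannot be mapped")
    fields[canonical_id] = value


def normalize_account(raw, context, role):
    """Route one raw account reference into Axon account fields (flat canonical-ID dict).

    raw:     hypothetical source keys 'name', optional 'id' (the source's own
             identifier, e.g. a SID on Windows) and optional 'domain'
    context: 'windows' or 'azure' (Microsoft products), 'email' (message
             transport/inspection logs) or any other string
    role:    'origin', 'target' or 'observer'
    """
    fields = {}
    name = raw.get("name")
    if name is not None:
        # The Name field is the primary reference, whatever shape the value takes.
        assign(fields, f"{role}.account.name", name)
        if EMAIL_SHAPED.match(name):
            if context in ("windows", "azure"):
                # Email-shaped names from Microsoft products are UPNs, not email addresses.
                assign(fields, f"{role}.account.user_principal_name", name)
            elif context == "email":
                # Only email-traffic messages populate the Email field.
                assign(fields, f"{role}.account.email_address", name)
            # In any other context an email-shaped value stays a Name only.
    if raw.get("id") is not None:
        if name is None:
            # The ID field complements Name and is not meaningful on its own.
            raise ValueError("account ID is only used in conjunction with an account name")
        assign(fields, f"{role}.account.id", raw["id"])
    if raw.get("domain") is not None:
        assign(fields, f"{role}.account.domain", raw["domain"])
    return fields


# Constructed sample account references (not taken from any real log source).
WINDOWS_LOGON = {
    "name": "jdoe@corp.example",
    "id": "S-1-5-21-1000-2000-3000-1105",
    "domain": "CORP",
}
MAIL_TRACE_SENDER = {"name": "jdoe@corp.example"}
GENERIC_APP_USER = {"name": "jdoe@corp.example"}


def demo():
    """Normalize the three samples; the same value lands in different fields per context."""
    return (
        normalize_account(WINDOWS_LOGON, "windows", "origin"),
        normalize_account(MAIL_TRACE_SENDER, "email", "origin"),
        normalize_account(GENERIC_APP_USER, "saas", "target"),
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```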
Account Fields
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Origin Account DN | origin.account.distinguished_name | The Distinguished Name associated with the Origin Account. | True | String |
Target Account DN | target.account.distinguished_name | The Distinguished Name associated with the Target Account. | True | String |
Origin Account Domain | origin.account.domain | The domain name of the Origin Account. | True | String |
Target Account Domain | target.account.domain | The domain name of the Target Account. | True | String |
Origin Account Email | origin.account.email_address | The email address of the Origin Account. The sender in any email tracking message. | True | String |
Target Account Email | target.account.email_address | The email address of the Target Account. The recipient(s) in any email tracking message. | True | String |
Origin Account ID | origin.account.id | A unique ID associated with the Origin Account. This is separate from the Name, UPN, and other attributes. This is represented by a SID in Windows environments. | True | String |
Target Account ID | target.account.id | A unique ID associated with the Target Account. This is separate from the Name, UPN, and other attributes. This is represented by a SID in Windows environments. | True | String |
Origin Account Name | origin.account.name | The name of the Origin Account. | True | String |
Target Account Name | target.account.name | The name of the Target Account. | True | String |
Origin Account Phone | origin.account.phone | The phone number of the Origin Account. | True | String |
Target Account Phone | target.account.phone | The phone number of the Target Account. | True | String |
Origin Account UPN | origin.account.user_principal_name | The User Principal Name of the Origin Account. These are formatted like email addresses, but should not be confused as such. | True | String |
Target Account UPN | target.account.user_principal_name | The User Principal Name of the Target Account. These are formatted like email addresses, but should not be confused as such. | True | String |
Observer Account DN | observer.account.distinguished_name | The Distinguished Name associated with the Observer Account. | True | String |
Observer Account Domain | observer.account.domain | The domain name of the Observer Account. | True | String |
Observer Account Email | observer.account.email_address | The email address of the Observer Account. | True | String |
Observer Account ID | observer.account.id | A unique ID associated with the Observer Account. This is separate from the Name, UPN, and other attributes. This is represented by a SID in Windows environments. | True | String |
Observer Account Name | observer.account.name | The name of the Observer Account. | True | String |
Observer Account Session ID | observer.account.session.id | The ID of the session under which the Observer Account operated. | True | String |
Observer Account Session Name | observer.account.session.name | The name of the session under which the Observer Account operated. | True | String |
Observer Account Session Type | observer.account.session.type | The type of session under which the Observer Account operated. | True | String |
Observer Account UPN | observer.account.user_principal_name | The User Principal Name of the Observer Account. These are formatted like email addresses, but should not be confused as such. | True | String |
Origin Account Display Name | origin.account.display_name | The display name of the origin account. | False | String |
Target Account Display Name | target.account.display_name | The display name of the target account. | False | String |
Host Fields
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Origin Host DN | origin.host.distinguished_name | The Distinguished Name of the Origin Host. | True | String |
Target Host DN | target.host.distinguished_name | The Distinguished Name of the Target Host. | True | String |
Origin Host Domain | origin.host.domain.name | The domain of the Origin Host. | True | String |
Target Host Domain | target.host.domain | The domain of the Target Host. | True | String |
Origin Host ID | origin.host.id | A unique ID associated with the Origin Host. | True | String |
Target Host ID | target.host.id | A unique ID associated with the Target Host. | True | String |
Origin Host Interface Name | origin.host.interface.name | The name of the Origin Host’s Interface. | True | String |
Target Host Interface Name | target.host.interface.name | The name of the Target Host’s Interface. | True | String |
Origin Host IP | origin.host.ip_address.value | The IP Address of the Origin Host. | True | IP |
Target Host IP | target.host.ip_address.value | The IP Address of the Target Host. | True | IP |
Origin Host NAT IP | origin.host.ip_address.nat_value | The NAT IP Address of the Origin Host. | True | IP |
Target Host NAT IP | target.host.ip_address.nat_value | The NAT IP Address of the Target Host. | True | IP |
Origin Host City | origin.host.location.city | The geographic city associated with the Origin Host. | True | String |
Target Host City | target.host.location.city | The geographic city associated with the Target Host. | True | String |
Origin Host Region/State | origin.host.location.region | The geographic region or state associated with the Origin Host. | True | String |
Target Host Region/State | target.host.location.region | The geographic region or state associated with the Target Host. | True | String |
Origin Host Country | origin.host.location.country | The geographic country associated with the Origin Host. | True | String |
Target Host Country | target.host.location.country | The geographic country associated with the Target Host. | True | String |
Origin Host Geo | origin.host.location.geo_location | The geographic coordinates (latitude/longitude) associated with the Origin Host. | True | Geo_Point |
Target Host Geo | target.host.location.geo_location | The geographic coordinates (latitude/longitude) associated with the Target Host. | True | Geo_Point |
Origin Host MAC | origin.host.mac_address | The MAC Address of the Origin Host. | True | MAC |
Target Host MAC | target.host.mac_address | The MAC Address of the Target Host. | True | MAC |
Origin Host Name | origin.host.name | The name of the Origin Host. | True | String |
Target Host Name | target.host.name | The name of the Target Host. | True | String |
Origin Host IP Port | origin.host.network_port.value | The network port number used by the Origin Host. | True | Integer |
Target Host IP Port | target.host.network_port.value | The network port number used by the Target Host. | True | Integer |
Origin Host NAT IP Port | origin.host.network_port.nat_value | The NAT Network port number used by the Origin Host. | True | Integer |
Target Host NAT IP Port | target.host.network_port.nat_value | The NAT Network port number used by the Target Host. | True | Integer |
Origin Host OS Platform | origin.host.os.platform | The operating system platform of the Origin Host. | True | String |
Target Host OS Platform | target.host.os.platform | The operating system platform of the Target Host. | True | String |
Origin Host OS Version | origin.host.os.version | The version of the OS running on the Origin Host. | True | String |
Target Host OS Version | target.host.os.version | The version of the OS running on the Target Host. | True | String |
Origin Host Serial | origin.host.serial_number | The serial number of the Origin Host. | True | String |
Target Host Serial | target.host.serial_number | The serial number of the Target Host. | True | String |
Origin Host Version | origin.host.version | The version of the Origin Host. | True | String |
Target Host Version | target.host.version | The version of the Target Host. | True | String |
Observer Host DN | observer.host.distinguished_name | The distinguished name of the Observer Host. | True | String |
Observer Host Domain | observer.host.domain | The domain of the Observer Host. | True | String |
Observer Host Egress Int | observer.host.egress_interface | The name of the interface on the Observer Host through which network traffic was sent. | True | String |
Observer Host Ingress Int | observer.host.ingress_interface | The name of the interface on the Observer Host through which network traffic was received. | True | String |
Observer Host ID | observer.host.id | A unique ID associated with the Observer Host. | True | String |
Observer Host IP | observer.host.ip_address.value | The IP address of the Observer Host. | True | IP |
Observer Host NAT IP | observer.host.ip_address.nat_value | The NAT IP address of the Observer Host. | True | IP |
Observer Host City | observer.host.location.city | The geographic city associated with the Observer Host. | True | String |
Observer Host Region/State | observer.host.location.region | The geographic region or state associated with the Observer Host. | True | String |
Observer Host Country | observer.host.location.country | The geographic country associated with the Observer Host. | True | String |
Observer Host Geo | observer.host.location.geo_location | The geographic coordinates (latitude/longitude) associated with the Observer Host. | True | Geo_Point |
Observer Host Name | observer.host.name | The name of the Observer Host. | True | String |
Observer Host OS Platform | observer.host.os.platform | The operating system platform of the Observer Host. | True | String |
Observer Host OS Version | observer.host.os.version | The version of the OS running on the Observer Host. | True | String |
Observer Host Serial | observer.host.serial_number | The serial number of the Observer Host. | True | String |
Observer Host Version | observer.host.version | The version of the Observer Host. | True | String |
Action Fields
Action fields contain data relevant to specific types of actions described by log messages. There is a set of fields that are valid across all the action types, and additional fields that are specific to certain types of actions.
General Action Fields
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Action Command Statement | action.command | Any command data, such as get, put, set, or rename, associated with the action. | True | String |
Action Duration | action.duration | The duration, in seconds, of the action. | True | Integer |
Action Message | action.message | A general message that describes the action. | True | String |
Action Repeat Count | action.repeat_count | The number of times the same message was repeated, for sources whose messages carry a repeat count. | True | Integer |
Action State | action.state | The current state of the action. | True | String |
Action Start Time | action.timestamp_start | The timestamp for when the described action started. | True | Date |
Action End Time | action.timestamp_end | The timestamp for when the described action ended. | True | Date |
Action Type | action.type | The type of action described. | True | String |
Action User Agent String | action.user_agent | The user agent string used to attempt the action described. | True | String |
Action Session ID | action.session.id | The ID of the session under which the action was performed. | True | String |
Action Session Name | action.session.name | The name of the session under which the action was performed. | True | String |
Action Session Type | action.session.type | The type of session under which the action was performed. | True | String |
Result Message | action.result.message | The full description of the result of the attempted action. | True | String |
Result Code | action.result.code | A code used by the log source to describe the result of the attempted action. Most commonly, this is an error code. | True | String |
Result Reason | action.result.reason | The reason provided by the source for the result of the attempted action. | True | String |
Aggregation Actions
Aggregation actions are performed by the Axon analytics subsystem.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Aggregation Count | action.aggregation.count | The computed count of aggregated items. | False | Integer |
Aggregation Group | action.aggregation.key | An array of the schema fields the aggregation was grouped on. | False | String |
Aggregation Group Num | action.aggregation.key_length | The length of the Group array. | False | Integer |
Aggregation ID | action.aggregation.message_id | An array of Message IDs associated with the aggregation. | False | String |
Aggregation ID Num | action.aggregation.message_id_length | The length of the ID array. | False | Integer |
Aggregation Maximum | action.aggregation.max | The computed maximum value of aggregated items. | False | Integer |
Aggregation Minimum | action.aggregation.min | The computed minimum value of aggregated items. | False | Integer |
Aggregation Sum | action.aggregation.sum | The computed sum value of aggregated items. | False | Integer |
Authentication Actions
Authentication actions describe attempts to authenticate to a system, device, or application.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Admin Rights Status | action.authentication.admin_session | An indicator of whether an authentication attempt included administrator rights. | True | String |
Authentication Key Size | action.authentication.key_size | The size of the encryption key used in the authentication request. | True | Integer |
Authentication Method | action.authentication.authentication_method | The method used in the authentication attempt. This could include methods such as local, radius, ldap, etc. | True | String |
Authentication Package | action.authentication.authentication_package | The Microsoft Windows authentication package used by the authentication process. | True | String |
Authentication Trusted Process | action.authentication.trusted_process_name | The Microsoft Windows trusted process name used by the authentication process. | True | String |
LanMan Package | action.authentication.lm_package | The Microsoft Windows LAN Manager package used by the authentication process. | True | String |
Kerberos Encryption Type | action.authentication.kerberos.encryption_type | The cryptographic suite used by the Kerberos authentication attempt. | True | String |
Kerberos PreAuth Type | action.authentication.kerberos.preauth_type | The Kerberos PreAuth type used by the authentication attempt. These are described in RFC6113. | True | String |
Kerberos Realm | action.authentication.kerberos.realm_name | The Kerberos Realm specified in the authentication attempt. A realm is a set of managed nodes that share the same Kerberos database. | True | String |
Kerberos Ticket Options | action.authentication.kerberos.ticket_options | A 32-bit variable representing the ticket options (Forwardable, Renewable, Canonicalize, etc.) in the Kerberos ticket. | True | String |
Change Actions
Change actions describe attempts to modify or alter a policy, configuration, or setting.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Pre-Change Value | action.change.original_value | The original value of the object or attribute before the change. | True | String |
Post-Change Value | action.change.new_value | The value of the object or attribute after the change. | True | String |
DNS Actions
DNS actions describe activities related to DNS resolution.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
DNS Query | action.dns.query | The query requested by the source. Typical queries are either a forward or reverse lookup. | True | String |
DNS Record Type | action.dns.record_type | The record type in the DNS Query. The most common is an A record query. | True | String |
DNS Result | action.dns.result | The response to the query from the DNS resolver. | True | String |
Health Actions
Health actions describe system and service health.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Health Uptime | action.health.uptime | The time value since the system or device was started. | True | Integer |
Health Previous State | action.health.previous_state | The previous health state of the host, device, application, or component. | True | String |
Health New State | action.health.new_state | The current health state of the host, device, application, or component. | True | String |
Network Actions
Network actions describe network traffic activities.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Network Application Name | action.network.application | The application used in the network traffic. | True | String |
Network Direction | action.network.direction | The direction indicated for the network traffic. | True | String |
Network HTTP Method | action.network.http_method | The HTTP method command documented in the message. These are defined under RFC2616. | True | String |
Network SSID | action.network.ssid | The service set identifier for the wireless network’s name. | True | String |
Network Protocol ID | action.network.protocol.id | The IANA protocol number used by the network traffic. | True | Integer |
Network Protocol Name | action.network.protocol.name | The IANA protocol name used by the network traffic. | True | String |
Packets Sent | action.network.packet_information.sent | The number of packets sent from the origin to the target during the network session. | True | Integer |
Packets Received | action.network.packet_information.received | The number of packets received by the origin from the target during the network session. | True | Integer |
Packets Total | action.network.packet_information.total | The total number of packets exchanged during the network session. | True | Integer |
Bytes Sent | action.network.byte_information.sent | The number of bytes sent from the origin to the target during the network session. | True | Integer |
Bytes Received | action.network.byte_information.received | The number of bytes received by the origin from the target during the network session. | True | Integer |
Bytes Total | action.network.byte_information.total | The total number of bytes exchanged during the network session. | True | Integer |
Observation Actions
Observation actions are performed by the Axon analytics subsystem.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Observation Details | action.observation.json | A serialized JSON of all observations associated with the analytics rule. | False | Long_Text |
Observation Group | action.observation.key | An array of the schema fields used in the observation. | False | String |
Observation Group Num | action.observation.key_length | The length of the observation group array. | False | Integer |
Scan Actions
Scan actions describe scan activities performed by vulnerability management, EDR/MDR, and other related solutions.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Scan ID | action.scan.id | An identifier assigned by the scanning engine to track the different phases of the scan. | True | String |
Scan Infections | action.scan.infected_files | The number of infected files or objects detected during the scan. | True | Integer |
Scan Items | action.scan.items_scanned | The number of files or objects scanned. | True | Integer |
Scan Omissions | action.scan.items_omitted | The number of files or objects excluded from the scan. | True | Integer |
Scan Threats | action.scan.threats_found | The number of threats detected during the scan. | True | Integer |
Scan Type | action.scan.type | The type of scan performed. | True | String |
Object Fields
Objects have unique sets of fields that are only relevant for a specific context.
General Object Field
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Object Type | object.type | The type of object identified within the message. | True | String |
Certificate Object Fields
Contains attributes tied to certificates found within messages.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Cert Subject | object.certificate.subject | The Distinguished Name of the certificate's subject. | True | String |
Cert Serial | object.certificate.serial_number | The unique serial number assigned to the certificate by the certification authority that issued the certificate. | True | String |
Cert Issuer | object.certificate.issuer | The Distinguished Name or Common Name of the certification authority that issued the certificate. | True | String |
Cert Issue Date | object.certificate.issue_date | The timestamp of when the certificate was issued by the certification authority. | True | Date |
Cert Exp Date | object.certificate.expiration_date | The timestamp of when the certificate expires and is no longer valid. | True | Date |
Cert Thumbprint | object.certificate.thumbprint | The thumbprint of the certificate. | True | String |
Database Object Fields
Contains attributes for database and database table objects.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Database ID | object.database.id | A unique ID to identify a database. | True | String |
Database Name | object.database.name | The name of the database. | True | String |
Database Instance | object.database.instance_name | The instance name of the database. This is frequently the same as the name attribute. | True | String |
Database Table ID | object.database.table.id | A unique ID to identify a database table. | True | String |
Database Table Name | object.database.table.name | The name of a database table. | True | String |
Device Object Fields
Contains attributes for devices that are not origin, target, or observer hosts.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Device ID | object.device.id | A unique ID associated with the device object. | True | String |
Device Name | object.device.name | The name of the device. | True | String |
Device Type | object.device.type | The type of device. | True | String |
Device Serial | object.device.serial_number | The serial number of the device. | True | String |
Device Vendor | object.device.vendor_name | The vendor name of the device. | True | String |
Directory Object Fields
Contains attributes of directory objects such as those found within Microsoft Active Directory and other LDAP implementations.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Directory Object ID | object.directory_object.distinguished_name | A unique ID associated with the directory object. | True | String |
Directory Object Name | object.directory_object.name | The name of the object. This is frequently represented as a DN. | True | String |
Directory Object Type | object.directory_object.type | The type of directory object. | True | String |
Directory Object DN | object.directory_object.distinguished_name | The Distinguished Name of the directory object. | True | String |
Domain Object Fields
These are used when a domain object is involved in an action.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Domain ID | object.domain.id | A unique ID associated with the domain object. | True | String |
Domain Name | object.domain.name | The name of the domain object. | True | String |
Email Message Object Fields
Contains attributes of email messages, excluding those under the origin and target contexts.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Email ID | object.email_message.id | A unique ID associated with the email message. | True | String |
Email Subject | object.email_message.subject | The subject of the email message. | True | String |
Email Header | object.email_message.smtp_header | The SMTP Header of the email message. | True | Long_Text |
Attachment MD5 | object.email_message.file.hash.md5 | The MD5 Hash of the email attachment. | True | MD5 |
Attachment SHA1 | object.email_message.file.hash.sha1 | The SHA1 Hash of the email attachment. | True | SHA1 |
Attachment SHA256 | object.email_message.file.hash.sha256 | The SHA256 Hash of the email attachment. | True | SHA256 |
Attachment SHA512 | object.email_message.file.hash.sha512 | The SHA512 Hash of the email attachment. | True | SHA512 |
Attachment Name | object.email_message.file.name | The name of the email attachment. | True | String |
Attachment Size | object.email_message.file.size | The size, in bytes, of the email attachment. | True | Integer |
Attachment Type | object.email_message.file.type | The type of the email attachment. | True | String |
File Object Fields
Contains attributes of file objects referenced within messages.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
File ID | object.file.id | A unique ID associated with the file object. | True | String |
File Name | object.file.name | The name, minus the path, of the file object. | True | String |
File Path | object.file.path | The path, minus the name, of the file object. | True | String |
File Size | object.file.size | The size, in bytes, of the file object. | True | Integer |
File Type | object.file.type | The type of the file object. | True | String |
File Version | object.file.version | The version of the file object. | True | String |
File Creation Time | object.file.creation_time | The timestamp when the file object was created. | True | Date |
File Last Access Time | object.file.last_accessed_time | The timestamp when the file object was last accessed. | True | Date |
File Modification Time | object.file.modification_time | The timestamp when the file object was modified. | True | Date |
File MD5 | object.file.hash.md5 | The MD5 Hash of the file object. | True | MD5 |
File SHA1 | object.file.hash.sha1 | The SHA1 Hash of the file object. | True | SHA1 |
File SHA256 | object.file.hash.sha256 | The SHA256 Hash of the file object. | True | SHA256 |
File SHA512 | object.file.hash.sha512 | The SHA512 Hash of the file object. | True | SHA512 |
File Signer | object.file.signature.signer | The digital signer of the file object. | True | String |
File Signature Status | object.file.signature.status | An indicator of whether the file object was digitally signed. | True | String |
File Signature Validity | object.file.signature.validity | The validity of the file object’s digital signature. | True | String |
Group Object Fields
These are used when a group is the object involved in an action.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Group ID | object.group.id | A unique ID for the group object. | True | String |
Group Name | object.group.name | The name of the group object. | True | String |
Group Domain | object.group.domain | The domain to which the group object belongs. | True | String |
Interface Object Fields
These are used when a host interface is involved in an action. This is not relevant in the network traffic action context.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Interface ID | object.interface.id | A unique ID for the interface object. | True | String |
Interface Name | object.interface.name | The name of the interface object. | True | String |
Interface Alias | object.interface.alias | An alias name for the interface object. | True | String |
Interface Mode | object.interface.mode | The networking mode of the interface object. | True | String |
Policy Object Fields
Contains attributes for policy objects referenced within messages.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Policy ID | object.policy.id | A unique ID for the policy object. | True | String |
Policy Name | object.policy.name | The name of the policy object. | True | String |
Policy Group | object.policy.group | The group to which the policy object belongs. | True | String |
Process Object Fields
Contains attributes for processes referenced within messages.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Process ID | object.process.id | A unique ID for the process object. | True | String |
Process Name | object.process.name | The name, minus the path, for the process object. | True | String |
Process Path | object.process.path | The path, minus the name, for the process object. | True | String |
Process Command Line | object.process.command_line | The full command line recorded when executing the process. | True | Long_Text |
Process Command Args | object.process.command_args | The arguments used when executing the process. | True | Long_Text |
Process MD5 | object.process.hash.md5 | The MD5 Hash of the process object. | True | MD5 |
Process SHA1 | object.process.hash.sha1 | The SHA1 Hash of the process object. | True | SHA1 |
Process SHA256 | object.process.hash.sha256 | The SHA256 Hash of the process object. | True | SHA256 |
Process SHA512 | object.process.hash.sha512 | The SHA512 Hash of the process object. | True | SHA512 |
Process Signer | object.process.signature.signer | The digital signer of the process object. | True | String |
Process Signature Status | object.process.signature.status | An indicator of whether the process object was digitally signed. | True | String |
Process Signature Validity | object.process.signature.validity | The validity of the process object’s digital signature. | True | String |
Parent Process ID | object.process.parent_process.id | A unique ID for the parent process object. | True | String |
Parent Process Name | object.process.parent_process.name | The name, minus the path, for the parent process object. | True | String |
Parent Process Path | object.process.parent_process.path | The path, minus the name, for the parent process object. | True | String |
Parent Process Command Line | object.process.parent_process.command_line | The full command line recorded when executing the parent process. | True | Long_Text |
Parent Process Command Args | object.process.parent_process.command_args | The arguments used when executing the parent process. | True | Long_Text |
Parent Process MD5 | object.process.parent_process.hash.md5 | The MD5 Hash of the parent process object. | True | MD5 |
Parent Process SHA1 | object.process.parent_process.hash.sha1 | The SHA1 Hash of the parent process object. | True | SHA1 |
Parent Process SHA256 | object.process.parent_process.hash.sha256 | The SHA256 Hash of the parent process object. | True | SHA256 |
Parent Process SHA512 | object.process.parent_process.hash.sha512 | The SHA512 Hash of the parent process object. | True | SHA512 |
Parent Process Signer | object.process.parent_process.signature.signer | The digital signer of the parent process object. | True | String |
Parent Process Signature Status | object.process.parent_process.signature.status | An indicator of whether the parent process object was digitally signed. | True | String |
Parent Process Signature Validity | object.process.parent_process.signature.validity | The validity of the parent process object’s digital signature. | True | String |
Registry Object Fields
Contains attributes for Microsoft Windows Registry objects.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Registry Key ID | object.registry_object.id | A unique ID for the registry key object. | True | String |
Registry Key | object.registry_object.key | The name of the registry key object. | True | String |
Registry Key Path | object.registry_object.path | The full registry path to the key object. | True | String |
Registry Root | object.registry_object.root_key | The root-level key, also called a hive. | True | String |
Resource Object Fields
Contains attributes for resource objects. These are frequently identified within cloud-based platforms such as Microsoft Azure, Amazon AWS, and Google Cloud.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Resource ID | object.resource.id | A unique ID for the resource object. | True | String |
Resource Name | object.resource.name | The name of the resource object. | True | String |
Resource Region | object.resource.region | The region assigned to the resource, such as an AWS region or an Azure location. | True | String |
Resource Type | object.resource.type | The type assigned to the resource object, such as a container. | True | String |
Resource Group | object.resource.group | The group the resource object belongs to, such as a cluster name, a Kubernetes namespace, or a container tag. | True | String |
Rule Object Fields
Contains attributes for any rule objects referenced within messages.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Rule ID | object.rule.id | A unique ID for the rule object. | True | String |
Rule Name | object.rule.name | The name of the rule object. | True | String |
Rule Group | object.rule.group | The group to which the rule object belongs. | True | String |
Scheduled Task Object Fields
Contains attributes for any scheduled task or Cron objects referenced within messages.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Task Name | object.scheduled_task.name | The name of the task object. | True | String |
Task Run Account | object.scheduled_task.run_account | The account under which the task object runs. | True | String |
Task Logon Type | object.scheduled_task.logon_type | The authentication method used by the task account when running the task. This is part of Microsoft Windows Scheduled Tasks. | True | String |
Script Object Fields
Contains attributes for any Script objects referenced within messages.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Script ID | object.script.id | A unique ID for the script object. | True | String |
Script Name | object.script.name | The name, minus the path, of the script object. | True | String |
Script Path | object.script.path | The path, minus the name, of the script object. | True | String |
Script Size | object.script.size | The size, in bytes, of the script object. | True | Integer |
Script Command Line | object.script.command_line | The full command line used to execute the script object. | True | String |
URL Object Fields
Contains attributes for any URL objects referenced within messages.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Complete URL | object.url.complete | The full URL value from the message. | True | URL |
URL Category | object.url.category | The URL category as defined by the source. | True | String |
URL Type | object.url.type | The URL type (direct or referral) as defined by the source. | True | String |
URL Protocol | object.url.protocol | The protocol component of the URL object. | True | String |
URL Domain | object.url.domain | The domain component of the URL object. | True | String |
URL Port | object.url.port | The port component of the URL object. | True | Integer |
URL Path | object.url.path | The path component of the URL object. | True | String |
URL Query | object.url.query | The query component of the URL object. | True | String |
URL Fragment | object.url.fragment | The fragment component of the URL object. | True | String |
Threat Fields
These fields contain data relevant to threats detected by a log source. They can also be populated by Axon Analytics.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Threat ID | threat.id | A unique ID for the threat object. | True | String |
Threat Name | threat.name | The name of the threat object. Typically a signature name. | True | String |
Threat Description | threat.description | A description of the threat. | True | String |
Threat Category | threat.category | The category of the threat assigned by the detection source. | True | String |
Threat Subcategory | threat.subcategory | The subcategory of the threat assigned by the detection source. | True | String |
Threat Severity | threat.severity | The severity of the threat. Separate from the general message severity. | True | String |
Threat CVE | threat.cve | The CVE(s) associated with the threat object. This field can also be populated through programmatic detection, in the same way as the Unattributed Fields. | True | CVE |
MITRE Tactic | threat.mitre_tactic | The MITRE ATT&CK tactic associated with the message. | True | String |
MITRE Technique | threat.mitre_technique | The MITRE ATT&CK technique associated with the message. | True | String |
Threat Evidence | threat.evidence | Any evidence provided by the detection system for the threat. | True | String |
Threat Detection Engine | threat.detection_engine | The engine, process, or service used to detect the threat. | True | String |
Threat Source | threat.source | The source of the detected threat. | True | String |
Threat Run Status | threat.run_status | An indicator of whether the detected threat is actively running on the target. | True | String |
Vendor Information Fields
These fields contain additional context as defined by the source, but are outside the context of the other containers.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Vendor Message ID | vendor_information.id | A unique ID generated by the source that identifies the type of message. | True | String |
Vendor Description | vendor_information.description | A general description of the message provided by the source. | True | String |
Vendor Severity | vendor_information.severity | The severity of the message. This is separate from the threat severity. | True | String |
Vendor Log Type | vendor_information.log_type | A high-level category of the message assigned by the source. | True | String |
Vendor Log Subtype | vendor_information.log_subtype | A low-level category of the message assigned by the source. | True | String |
Vendor Ext Link | vendor_information.external_link | A link to the external system that generated the message. This is commonly used in alerting systems to provide a link back to the alert within the source. | True | Long_Text |
Vendor Ext ID | vendor_information.external_id | An ID generated by the source that traces back to an alert, case, or similar construct. | True | String |
Log Gen Time | vendor_information.log_generation_time | The timestamp that identifies when the message was generated by the source. | True | Date |
General Information Fields
These fields are all assigned by the Axon system as part of message processing.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Common Event | general_information.common_event | A set of one or more easily understood tags assigned by Axon to describe the message. | False | String |
Standard Time | general_information.standard_message_time | A timestamp taken from the various timestamps in the message that most closely matches when the message was generated. | False | Date |
Standard Time Confidence | general_information.standard_time_confidence | The confidence value (High, Medium, Low) in the value of Standard Time being the time the message was generated. | False | String |
Collection Time | general_information.collection_time | The timestamp matching when the message was collected by Axon. | False | Date |
Processing Start Time | general_information.processing_start_time | The timestamp matching when Axon started processing the message. | False | Date |
Processing End Time | general_information.processing_end_time | The timestamp matching when Axon finished processing the message. | False | Date |
Message ID | general_information.message_id | A unique ID generated by Axon and assigned to the message. | False | String |
Message Group ID | general_information.message_group_id | A unique ID generated by Axon and assigned during clustering/grouping. | False | String |
Message Tags | general_information.tags | This field is currently reserved for future use. | False | String |
Tenant ID | general_information.tenant_id | The unique ID of the Axon tenant. | False | String |
Exception Key | general_information.exception.key | The name of the exception key generated during signal processing, used for internal diagnostics. | False | String |
Exception Message | general_information.exception.message | The full exception message generated during signal processing, used for internal diagnostics. | False | String |
Exception Code | general_information.exception.code | The unique exception code generated during signal processing, used for internal diagnostics. | False | String |
Raw Message | general_information.raw_message | The full raw message received by the collector. | False | Long_Text |
Raw Message Size | general_information.raw_message_size | The size of the raw message in bytes. | False | Integer |
Log Source ID | general_information.log_source.id | A unique ID assigned by Axon to the message source. | False | String |
Log Source | general_information.log_source.name | The name of the log source. | False | String |
Log Source Type ID | general_information.log_source.type_id | A unique ID assigned by Axon to the log source type. | False | String |
Log Source Type | general_information.log_source.type_name | The name of the log source type. | False | String |
Processing Policy ID | general_information.processing_information.message_processing_policy_id | A unique ID assigned by Axon to the Message Processing Policy that processed the message. | False | String |
Processing Policy Name | general_information.processing_information.message_processing_policy_name | The name of the Message Processing Policy that processed the message. | False | String |
Processing Policy Version | general_information.processing_information.message_processing_policy_version | The version of the Message Processing Policy that processed the message. | False | String |
Processing Schema Version | general_information.processing_information.schema_version | The version of the data schema used when processing the message. | False | String |
Collector ID | general_information.transit_path.collector_id | A unique ID assigned by Axon to the Collector that collected the message. | False | String |
Transit Path | general_information.transit_path.complete | The complete transit path the message took formatted in JSON. | False | Long_Text |
Truncated Original Message Size | general_information.original_message_size | The original size, in bytes, of a message that was truncated due to exceeding the maximum size limit per message. The size of the log after being truncated will appear in the Raw Message Size field. For more information, refer to the Maximum Log Size section of the Message Processing documentation. | False | String |
Unattributed Fields
These fields contain data that was programmatically detected by Axon without using a Message Processing Policy.
Field Name | Canonical ID | Description | Mappable? | Data Type |
---|---|---|---|---|
Account Email | unattributed.account.email_address | A list of any email addresses detected in the message. | False | |
Account Identity ID | unattributed.account.identity.id | This field is currently reserved for future use. | False | String |
Account Identity Name | unattributed.account.identity.name | This field is currently reserved for future use. | False | String |
Account Identity Tags | unattributed.account.identity.tags | This field is currently reserved for future use. | False | String |
MD5 Hash | unattributed.hash.md5 | A list of any MD5 Hashes detected in the message. | False | MD5 |
SHA1 Hash | unattributed.hash.sha1 | A list of any SHA1 Hashes detected in the message. | False | SHA1 |
SHA256 Hash | unattributed.hash.sha256 | A list of any SHA256 Hashes detected in the message. | False | SHA256 |
SHA512 Hash | unattributed.hash.sha512 | A list of any SHA512 Hashes detected in the message. | False | SHA512 |
Host Identity ID | unattributed.host.identity.id | This field is currently reserved for future use. | False | String |
Host Identity Name | unattributed.host.identity.name | This field is currently reserved for future use. | False | String |
Host Identity Tags | unattributed.host.identity.tags | This field is currently reserved for future use. | False | String |
Host IP | unattributed.host.ip_address.value | A list of any IP addresses detected in the message. | False | IP |
Host City | unattributed.host.location.city | The resolved geographic city of the IP addresses detected in the message. | False | String |
Host Region/State | unattributed.host.location.region | The resolved geographic region or state of the IP addresses detected in the message. | False | String |
Host Country | unattributed.host.location.country | The resolved geographic country of the IP addresses detected in the message. | False | String |
Host Geo | unattributed.host.location.geo_location | The resolved geographic coordinates (latitude/longitude) of the IP addresses detected in the message. | False | Geo_Point |
Host MAC | unattributed.host.mac_address | A list of any MAC addresses detected in the message. | False | MAC |
Host Name | unattributed.host.name | The resolved hostname of the IP addresses detected in the message. | False | String |
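As an added illustration (not Axon's own code), the routine below performs the kind of policy-free indicator detection these fields represent, run over a constructed raw message and keyed by the canonical IDs above; the hash patterns are anchored on non-hex boundaries so a longer digest is never also reported as a shorter one. The sample message and the regular expressions are assumptions of this example.

```python
import re

# Constructed sample raw message (not from the original page). The hashes are
# the well-known SHA256 of "test" and MD5 of the empty string; the IP, MAC
# and email address are made up.
SAMPLE_RAW_MESSAGE = (
    "EDR alert: file inv.exe "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 "
    "md5=d41d8cd98f00b204e9800998ecf8427e from 10.20.30.40 "
    "user alice@example.com mac 00:11:22:33:44:55"
)

# Canonical ID -> hex digest length. Each candidate is anchored on non-hex
# boundaries so a 64-char SHA256 is never also reported as a 32-char MD5.
HASH_LENGTHS = {
    "unattributed.hash.md5": 32,
    "unattributed.hash.sha1": 40,
    "unattributed.hash.sha256": 64,
    "unattributed.hash.sha512": 128,
}
OTHER_PATTERNS = {
    "unattributed.host.ip_address.value": re.compile(
        r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
        r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"),
    "unattributed.account.email_address": re.compile(
        r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "unattributed.host.mac_address": re.compile(
        r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])"),
}


def extract_unattributed(raw: str) -> dict:
    """Return {canonical_id: [values]} for indicators found in a raw message.
    Only fields with at least one hit are emitted; values are deduplicated
    in first-seen order and hashes are normalised to lower case."""
    fields = {}
    for field_id, length in HASH_LENGTHS.items():
        pattern = rf"(?<![0-9A-Fa-f])[0-9A-Fa-f]{{{length}}}(?![0-9A-Fa-f])"
        hits = list(dict.fromkeys(h.lower() for h in re.findall(pattern, raw)))
        if hits:
            fields[field_id] = hits
    for field_id, pattern in OTHER_PATTERNS.items():
        hits = list(dict.fromkeys(pattern.findall(raw)))
        if hits:
            fields[field_id] = hits
    return fields
```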